
Fraud Control Plan 2017–19

Governance

| Endorsement/Approval | Date Last Approved |
|---|---|
| Audit Committee | 15 July 2016 |
| Corporate Governance Board / Accountable Authority | 27 July 2016 |

Version control

| Version | Change | Date | Author |
|---|---|---|---|
| 1 | 2017–19 Plan | 16 July 2016 | John De Nato |
| 2 | Updates | 5 July 2016 | Rhys Benny |

Next Review Date: 1/10/2019

July 2016 Fraud Control Plan 2017–19 Page 1


Fraud policy statement

The Australian Competition and Consumer Commission (ACCC) and Australian Energy Regulator (AER) are fully committed to complying with the Commonwealth Fraud Control Framework 2014 to minimise the incidence of fraud through the development, implementation and regular review of a range of fraud prevention and detection strategies. The desired outcome of this commitment is the elimination of fraud.

Fraud prevention is about working and managing better to ensure honesty, professionalism and fairness in all our dealings and is the responsibility of all of our employees. Employees play an essential part in managing our potential exposure to fraudulent activity by ensuring that they behave in an ethical way consistent with the APS Code of Conduct, and reporting any incidents of suspected fraud.

Managers carry the same individual responsibilities for their actions as other employees; however, in addition to their individual responsibilities, they are responsible for:

• identifying potential fraud risks in their area of responsibility

• managing fraud risks through the development and use of appropriate controls

• monitoring compliance with controls

• promoting ethical behaviour by employees.

Any person who reports a suspected incident of fraud can be assured that any information that they provide will be treated appropriately and followed up diligently.

We consider the act of committing a fraud within the ACCC and AER a very serious matter. Any such acts will be dealt with to the maximum extent possible within existing legislative arrangements. This includes reporting cases of fraud to the Australian Federal Police for investigation and prosecution under Commonwealth and State legislation as appropriate.

I appreciate each ACCC and AER employee’s individual commitment and support to ensuring that the incidence of fraud in our agency is minimised. All instances of suspected fraud should be reported to the FCO (Director, Corporate Operations, Governance & Support) or your SES or General Manager.

Rod Sims

Accountable Authority

3 August 2016


Fraud Control Plan 2017–19

Fraud policy statement

1. Overview
    1.1. Introduction
    1.2. Policy framework
    1.3. Objective
    1.4. Definition of fraud
    1.5. Organisation culture

2. Fraud control principles
    2.1. Responsibilities for fraud
    2.2. Key fraud prevention strategies and actions

3. Fraud risk assessment
    3.1. Fraud risk assessment methodology
    3.2. Risk assessment
    3.3. Internal controls and internal audit
    3.4. Annual reporting obligations
    3.5. Summary of fraud risks

4. Fraud reporting, investigation and prosecution
    4.1. Detection of fraud
    4.2. How to report fraud
    4.3. Protection of person reporting suspected fraud and anonymous disclosure
    4.4. Initial assessment
    4.5. Threshold requirements and reporting to the AFP
    4.6. Further internal consideration
    4.7. Prosecution
    4.8. Recovery of money
    4.9. Reporting and recording of investigation outcomes
    4.10. Review

Attachment A—Risk assessment criteria
    Risk Rating
    Risk Appetite

Attachment B—Fraud risk register

Attachment C—Agency Organisation Chart as at June 2016

Attachment D—Agency Fraud incident register


1. Overview

1.1. Introduction

The Australian Competition and Consumer Commission (ACCC) is an independent Commonwealth statutory authority under the Competition and Consumer Act 2010 (CCA). The ACCC has a Chair, two Deputy Chairs, and four Commissioners.

The Australian Energy Regulator (AER) is also created under the CCA and its Board is an independent entity comprising three members who occupy statutory appointments. The ACCC Chair is the Accountable Authority for both the ACCC and AER (collectively known as the agency).

The ACCC’s main role is to enforce the CCA and a range of additional legislation, promoting competition, fair trading and regulating national infrastructure. The main goal of the ACCC is to make markets work.

The work of the AER encompasses oversight of wholesale and retail electricity and gas markets and regulation of energy network infrastructure. In carrying out its functions, the AER is directed by the objectives of national energy legislation: to promote efficient investment in, and efficient operation and use of, energy services for the long term interests of energy consumers with respect to price, quality, safety, reliability and security of supply.

The key strategies the ACCC and AER pursue are to:

• maintain and promote competition;

• protect the interests and safety of consumers, and support fair trading in markets affecting consumers and small business;

• promote the economically efficient operation of, use of, and investment in infrastructure; and identify market failure; and

• promote efficient investment in, and efficient operation and use of, energy services for the long term interests of consumers with respect to price, quality, safety, reliability and security.

A copy of the agency organisation chart can be found at Attachment C.

1.2. Policy framework

Section 16 of the Public Governance, Performance and Accountability Act 2014 (PGPA Act) provides that the Accountable Authority of an entity must establish and maintain an appropriate system of risk oversight and management for the entity and an appropriate system of internal controls for the entity, including implementing measures directed at ensuring officials of the entity comply with the finance law.

Section 10 of the PGPA rule provides a legislative basis for the Commonwealth’s fraud control arrangements. It sets out clear, consistent and unambiguous minimum requirements for fraud risk management and controls to assist accountable authorities to meet their obligations under the PGPA Act.

Accountable authorities must be satisfied that their entities comply with the mandatory requirements in section 10 of the PGPA rule, regardless of whether all or part of an entity’s fraud control activities are outsourced. The requirements are:

• conducting fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity

• developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment

• having an appropriate mechanism for preventing fraud, including by ensuring that:

    (i) officials in the entity are made aware of what constitutes fraud

    (ii) the risk of fraud is taken into account in planning and conducting the activities of the entity

• having an appropriate mechanism for detecting incidents of fraud or suspected fraud, including a process for officials of the entity and other persons to report suspected fraud confidentially

• having an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud

• having an appropriate mechanism for recording and reporting incidents of fraud or suspected fraud.

Updating the fraud risk assessment and fraud control plan every two years ensures that the agency complies with its statutory obligations.

1.3. Objective

This document analyses the exposure of the agency to fraud and the existing controls implemented that minimise fraudulent activities. It should be read in the context of the agency Corporate Plan, Annual Report and Risk Management Policy.

1.4. Definition of fraud

The agency recognises that a proactive rather than reactive fraud control plan is an integral part of its governance framework. The agency adopts the definition of fraud as given by the Commonwealth Fraud Control Framework 2014.

Fraud is, “dishonestly obtaining a benefit, or causing a loss, by deception or other means”.

Fraud is not restricted to obtaining monetary or material benefit. The benefits of fraudulent acts can either be tangible or intangible. They may include such things as unauthorised monetary gain as well as other benefits or advantages, including access to confidential information, preference for job selection, avoidance of disciplinary action and personal favours. The source of fraud may be internal (employee) or external (persons outside the organisation).

Fraud against the Commonwealth is an offence under chapter 7 of the Criminal Code Act 1995. Internal fraud is a contravention of the PGPA Act and also constitutes misconduct under the Public Service Act 1999.

The fraud control plan has been designed to be user friendly and contain policy and guidance, which will maintain the agency’s ongoing commitment to improve control structures and governance.

1.5. Organisation culture

The opportunity for fraud within an organisation is influenced by the culture and context in which a business operates. Our agency has a mature program of internal audit testing which ensures established controls are effectively operating to prevent and detect fraud.

In addition, high standards of professionalism, integrity and work ethics are promoted, instilled and fostered in all agency staff through the example set by senior management. Specific guidance is provided to staff on fraud through various means including via the internet and newsletters. Induction procedures for new staff also include information on ethics and fraud related matters.


Our people are committed to a workplace culture that promotes and maintains the standard of behaviour specified in the APS Values and Code of Conduct. Human resources policies and guidelines are underpinned by these principles.

In recent years we have also invested in leadership training for our current and prospective managers focusing on contemporary ethical leadership. A range of other initiatives underway are designed to improve the organisation’s cultural diversity and this work further strengthens our culture and provides an environment that minimises the risk of fraud.

2. Fraud control principles

2.1. Responsibilities for fraud

The ACCC’s Chairman is responsible for the corporate governance of the agency as the entity’s Accountable Authority and has overall responsibility for fraud control, and for ensuring compliance with the Commonwealth Fraud Control Framework 2014.

The role of the agency’s Audit Committee is to oversee and review the fraud control framework, including the actions agreed to in this fraud control plan to satisfy itself that an effective framework is in place.

Corporate Operations, Governance and Support Unit (COGS) with support from the Chief Finance Officer (CFO) and Finance Branch are responsible for ensuring that the appropriate processes are in place to ensure that the risk of fraud in the agency is well managed. The Director, COGS is the Fraud Control Officer (FCO).

Management in the agency must exhibit to employees and clients a genuine and strong commitment to fraud control, and good practices. They are responsible for identifying and managing individual fraud risks across the organisation, and for implementing the treatments identified in this fraud control plan.

Management must also adopt a firm approach to dealing with fraudulent activity and penalising unacceptable behaviours, to retain the commitment of honest staff and to deter those who may be tempted to commit fraud. With the risk of detection, the severity of punishment must be seen to outweigh the possible gains from fraud.

Employees and contractors should take into account the need to prevent and detect fraud as part of their normal responsibilities. All employees and contractors also have the responsibility of reporting any fraudulent activity within the agency that they become aware of or suspect. Reporting can be done through line management or the FCO.

All employees are encouraged to become familiar with the fraud control plan and contribute to its effective implementation, thereby assisting in minimising the incidence of fraud.

Risk management forms part of the business planning cycle and contributes to business performance through minimisation of agency risks, including fraud control. It provides senior management and the Audit Committee with solid evidence that risk management is occurring within the agency, including on fraud.

2.2. Key fraud prevention strategies and actions

A number of key strategies and actions for each fraud control function have been identified through our obligation to adhere to best practice and in assessing the agency’s operating environment including its relevant risks.


These include:

1. Raising awareness about what constitutes fraud, fraud prevention and how to report fraud.

2. Implementing strategies and processes to prevent, detect and monitor for fraud activity (see specifically Part 3 below).

3. Implementing processes to investigate and prosecute fraud activity where appropriate.

These elements are further outlined below.

| Areas and Strategies | Action | Responsibility | Timing |
|---|---|---|---|
| Awareness | | | |
| 1. Maintenance of on-going fraud awareness program | Continue to deliver fraud awareness training during employee induction and via an eLearning module | FCO | Ongoing |
| | Continue to disseminate the fraud policy to employees. ACCCess article to be published annually. | FCO | Annually in February |
| | Highlight a fraud specific issue e.g. employee theft, fraud in procurement, improper use of credit cards. | FCO | At least annually in June/July |
| Prevention & Detection | | | |
| 2. Implementation of a fraud risk assessment program | Formal update every two years and in light of significant changes in operations or occurrence of fraud | FCO | June 2018 if not before |
| 3. Implement strategies to reduce fraud risk | Management and internal audit to continue to review, test and improve specific controls that mitigate the risk of fraud within the organisation. | FCO | Report annually to Audit Committee in June/July |
| Monitoring | | | |
| 4. Ensure fraud risks are considered as part of general business and during organisational change | Continue to ensure fraud risk is considered as part of annual business plan risk assessment | FCO | Ongoing |
| | Continue to ensure fraud risk is considered in all risk assessments for major projects | FCO | Ongoing |
| Investigation | | | |
| 5. Conduct of investigations | If necessary, investigate allegations of potential fraud within the organisation. | FCO | As necessary (see Part 4) |
| | If necessary, investigations may be referred to the Australian Federal Police. | | |
| Prosecution | | | |
| 6. Prosecution action will be taken if there is a reasonable prospect of a conviction being secured | FCO will investigate and make a recommendation to Chief Operating Officer (COO) on whether to refer a matter to the DPP, who makes the final determination on legal action | FCO | As necessary |
| Review | | | |
| 7. Review of Systems and Procedures (post fraud) | If a fraud is detected the control system involved will be independently reviewed to identify improvements. | FCO | As necessary |
| 8. Recovery of money/property lost through fraud | Recovery action will be undertaken where the likely benefit will exceed the recovery costs | FCO | As necessary |
| 9. Fraud Control Plan review | Review Fraud Control Plan every two years. | FCO | June 2018 |
| Insurance | | | |
| 10. Ensure appropriate risk financing against fraud | Review as part of annual insurance review | FCO | In annual insurance review |
| Reporting | | | |
| 11. Ensure reporting obligations are complied with | All allegations of fraud to be reported to the COO | FCO | As necessary |
| | Any findings of fraud to be reported to the Audit Committee with all other reporting to the Committee made annually | FCO | As necessary and annually |
| | Allegations of fraud to be reported to the AFP in line with reporting thresholds | FCO | As necessary |
| | Accountable authority to certify to Minister compliance with fraud control guidelines in annual report | Chairman | Annually |
| | Agency to report on fraud to Australian Institute of Criminology | FCO | Annually |


3. Fraud risk assessment

3.1. Fraud risk assessment methodology

A key component of the fraud prevention program is the identification of fraud risks, assessing these risks and implementing appropriate controls.

The approach developed for this fraud risk assessment and fraud control plan is in accordance with the Commonwealth Fraud Control Framework 2014, AS/NZ ISO 31000-2009 Risk Management – Principles and Guidelines and Australian Standard AS 8001-2008 Fraud and Corruption Control.

Risk ratings are specific to the agency’s environment and reflect the agency’s risk management framework.

Key controls are listed against each individual risk. The list of controls is not intended to be an exhaustive list of the controls in place. The controls listed represent those controls which together form the framework for controlling the sources of each individual risk.

Assessments regarding the effectiveness of each control in mitigating the risks have been determined based on the views of key staff and their experience. Overall risk ratings have also been determined in this way.

3.2. Risk assessment

A review of the current fraud risk assessment was undertaken in June 2016 (with a full risk assessment having previously been conducted in July 2014). Fraud risks and controls were reviewed and updated during this process.

The assessment of the agency’s fraud environment is that overall there is a low to moderate fraud risk exposure. This conclusion is reached by considering all of the risks in context, and the fact that the majority of the risks identified were being adequately treated by existing controls.

3.3. Internal controls and internal audit

The design, development and maintenance of financial, administrative and operational systems, procedures and controls is paramount to the control of fraud, and will be undertaken at all times with a view to the possibility of fraud and ensuring an appropriate audit trail exists.

Adherence to established financial procedures as set out in the Accountable Authority Instructions (AAIs) available on the intranet shall be effectively communicated to staff involved and enforced by senior management.

Compliance with these procedures will be reviewed regularly and formal audits will be undertaken by internal audit as necessary. The results of these reviews will be reported to the Audit Committee as appropriate.

3.4. Annual reporting obligations

At the end of each financial year the Accountable Authority is required under the Commonwealth Fraud Control Framework 2014 to certify to our Minister in our agency’s annual report that they are satisfied that their agency has prepared fraud risk assessments and fraud control plans, and has in place appropriate fraud prevention, detection, investigation, reporting and data collection procedures and processes that meet the specific needs of the agency and comply with the guidelines. This is completed annually as required.


All entities must also collect information on fraud and provide it to the Australian Institute of Criminology (AIC), by 30 September each year to facilitate production of an AIC annual report on fraud against the Commonwealth and fraud control arrangements. This is also completed annually as required.

3.5. Summary of fraud risks

The detailed results of the fraud risk assessment are at Attachment B of the [subtitle].

A total of 18 risks were identified with 9 risks rated as medium and 9 risks rated low. No risks were rated as extreme or high. The fraud risk register contains details of the risks, associated controls and responsible officers for each of the 18 risks (see Attachment B).

4. Fraud reporting, investigation and prosecution

The agency’s approach to fraud prevention is outlined in the flowchart below.

Effectively the first step in the process is to ensure that appropriate detection mechanisms are in place, supported by effective reporting channels.

Once possible fraud is detected, an initial assessment is conducted by the FCO to determine the likely impact of the fraud instance. During this assessment the FCO will work with the Chief Operating Officer (COO) to determine whether further investigation is required internally or externally by the Australian Federal Police.

An investigation will then be conducted and completed as appropriate. Once the investigation is conducted and completed, the outcome of the investigation is reported to the COO and the Chairman as Accountable Authority and the fraud register is updated.

The COO or FCO will also advise the Audit Committee of the commencement and completion of an investigation as appropriate.

The process will be completed by a review of policies and procedures to ensure that future instances of fraud can be further prevented.

Each of these steps is outlined in more detail below.

4.1. Detection of fraud


The agency will conduct activities to raise awareness of the reporting channels available to all employees and actively encourage all employees and contractors to take into account the need to prevent and detect fraud as part of their normal responsibilities and to report suspected cases of fraud through the appropriate channels.

The strategies and actions and controls throughout this document will also be undertaken to further prevent fraud and ensure fraudulent activity is detected.

4.2. How to report fraud

All suspected fraudulent or other improper conduct coming to the attention of any employee (regardless of its financial impact) must be escalated. In the first instance, the matter should be reported to that person's immediate supervisor or manager (where appropriate). The supervisor or manager receiving the report must, as soon as possible, refer the report to the FCO.

If the suspected fraudulent activity relates to the person's immediate supervisor or manager, the matter should be reported to the FCO or a member of the SES.

Fraud can be reported to the FCO using the [email protected] email address.

Employees should not endeavour to conduct their own investigation of any allegations of fraud.

These details on how to report fraud are made available to employees on the agency’s intranet site and the information reported should include (if available and without conducting any form of investigation):

• details and dates of the suspected incident

• details of the persons involved (including where relevant, details of the employee, supplier, member of other external party)

• the value of the alleged misconduct or fraudulent conduct.

When reporting cases of suspected fraud, employees should observe the following guidelines:

• Keep the matter confidential. Inform only those people who have a genuine need to know. This is to ensure the principles of natural justice are preserved. It is also important to avoid alerting the person alleged to have committed the fraud.

• If there are any documents that may assist with the investigation, do not write, mark or change the document. Minimise any handling of the document.

• Maintain documentation in a safe and secure manner at all times.

The fraud email address is also on the agency’s internet site to facilitate external identification and reporting of fraud risk by our clients, customers and contractors.

Allegations of fraud by key officers should be dealt with differently, including:

• any allegations of fraud by the Chairman must be reported to the COO

• any allegations of fraud by the FCO must be reported to the COO

• any allegations of fraud by the COO must be reported to the Chairman

4.3. Protection of person reporting suspected fraud and anonymous disclosure

Details of the source of any allegation or information relative to such an allegation made against an employee or against an external party will not be disclosed to any person external to the agency unless:


• legally compelled to do so under Commonwealth, State or Territory law

• required by the police as a consequence of the matter being reported to them

• the person making the allegation or providing the information has consented to the disclosure of their name.

If an employee makes an allegation or provides information in relation to an alleged fraud or other matter involving improper conduct, the employee should be aware that the information provided will be relied upon and the employee may be called upon to give evidence about their knowledge of the circumstances.

Employees may wish to report a suspected incidence of fraud anonymously instead of directly to the agency. This may be done under Section 28 of the Public Interest Disclosure Act 2013 (PID Act).

If an employee makes a disclosure under the PID Act and the disclosure meets certain criteria, the employee is afforded immunity from civil, criminal or administrative liability (such as an action for defamation) that might otherwise apply for disclosing that information. It is a criminal offence under the PID Act for anyone handling the PID to disclose an employee’s identity as the discloser without their consent (subject to some exceptions).

An employee is also protected from reprisals or threatened reprisals including injury, dismissal or discrimination between them and other employees, even if the employee is only suspected to have made a Public Interest Disclosure. An employee can take legal action if they suffer detriment as a result of making a disclosure.

4.4. Initial assessment

Where fraud is suspected, the FCO shall advise the COO and arrange for the conduct of a preliminary investigation in accordance with the minimum standards for investigations established by the Australian Government Investigations Standards (AGIS) (as revised 2011).

The AGIS is a cornerstone of the Australian Government’s fraud control policy and is the minimum standard for agencies conducting investigations relating to the programs and legislation they administer. Under the AGIS an investigation seeks to obtain information relevant to an alleged, apparent or potential breach of the law.

The investigation is to consider:

• whether sufficient facts have been disclosed from which there is reasonable cause to believe that an offence has been committed, or attempted to be committed

• whether the matter is of a fraudulent nature within the terms of the definition of fraud

• whether the offence, or attempted offence, satisfies the threshold reporting requirements (see below)

• appropriate disclosure of personal information, noting that disclosure is not prohibited under agency secrecy/disclosure provisions.

Once the process of an initial investigation has been conducted the FCO will report to the COO with the findings for a decision on the next steps (with particular consideration of the threshold reporting requirements below). The COO will determine if it is appropriate to advise the Audit Committee of the existence of an investigation at this time.

4.5. Threshold requirements and reporting to the AFP

In determining whether a particular matter, fraudulent or otherwise, is of sufficient seriousness that it should be reported or referred to the AFP for investigation, the FCO will discuss the matter with the COO before consulting with the AFP to determine whether the referral is appropriate. The FCO will consider referring/reporting matters to the AFP where:

• the estimated loss to the organisation from the fraud case exceeds $500

• any non-financial benefit or advantage gained results in a significant loss to the agency

• the fraud undermines confidence in a program or system

• loss of credibility or confidence in the organisation or acute embarrassment for the agency/Minister

• significant private advantage to an external party.

Fraudulent activity falling below the referring/reporting threshold may be referred/reported where there is reasonable cause to believe that the activity:

• is part of a conspiracy or involves collusion

• is part of a pattern of activity or is linked with previous patterns of activity (either of an individual or an organisation)

• is linked to multiple offences

• involves bribery or other forms of corruption

• involves the use of a corporate credit card

• involves disclosure of sensitive or classified information.

The requirement for the agency to report information on fraud does not detract from its authority to determine the appropriate remedy to be applied, that is, administrative action, recovery action, by use of internal disciplinary procedures, or whether further action will be taken in the matter.

Where matters are referred or reported to the AFP, the FCO will be the operational liaison point with the police authority.

4.6. Further internal consideration

Where a matter does not meet the referral/reporting requirements outlined in 4.5 but is still considered to be fraudulent activity, the FCO will discuss the matter with the COO and determine the appropriate course of action including any disciplinary action. At this time it will be considered whether the agency has the capability to investigate the matter or whether it would more appropriately be referred externally.

4.7. Prosecution

The agency will abide by the Prosecution Policy of the Commonwealth when considering prosecution of a fraud matter.

4.8. Recovery of money

Should a decision be made to consider the matter further internally, recovery action of money and/or property lost through fraud will be undertaken where the likely benefit will exceed the recovery costs.

4.9. Reporting and recording of investigation outcomes

Once internal and external investigations have been completed, the FCO will update the Chairman on the outcome and update the fraud register.

The COO or FCO will then advise the Audit Committee of the completion of the investigation and any appropriate details to ensure that a review of fraud risks is conducted to prevent any future fraud.

4.10. Review

This fraud control plan is to be reviewed at least every two years by the FCO and approved by the Audit Committee.

Relevant parts of this plan and associated procedures should also be reviewed upon the completion of an investigation.

Attachment A—Risk assessment criteria

The level of risk is defined by the relationship between likelihood and consequence applicable to the area of risk or area under review. The measures of risk adopted in the preparation of the fraud risk assessment and Fraud control plan are consistent with the agency Risk Management Framework.

The tables below were used to assess the likelihood, consequence, rating, and acceptability of each of the fraud risks identified.

Risk Rating

Consequence

| | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic |
|---|---|---|---|---|---|
| Safety | Ailments not requiring medical treatment | Minor Injury | 1 serious injury causing hospitalisation or multiple minor injuries | 1 Life threatening injury or multiple serious injuries causing hospitalisation | 1 Death or multiple life threatening injuries |
| Reputational | Self-improvement review required | Scrutiny required by internal committees or internal audit to prevent escalation | Scrutiny required by external committee or ANAO | Intense public, political and media scrutiny evidenced by front page headlines and/or television coverage. | Royal Commission/ Parliamentary enquiry |
| Financial | 1% of Budget | 2-5% of Budget | >5% of Budget | >10% of Budget | >25% of Budget |
| Organisational Objectives | Very little consequence to achievement of objective | Would require some adjustment to objective | Would require significant adjustment to achieve objective | Would threaten achievement of the objective | Would stop achievement of the objective |

Likelihood (rows) against Consequence (columns)

| Likelihood | Description | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic |
|---|---|---|---|---|---|---|
| A Almost Certain | Expected in most circumstances. Has occurred on almost an annual basis in ACCC in the past or circumstances are in train that will cause it to happen. | L | M | H | E | E |
| B Likely | Has occurred in the last few years in the ACCC or has occurred recently in other similar agencies or circumstances have occurred that will cause it to happen in the short term. | L | M | H | H | E |
| C Possible | Has occurred at least once in the history of ACCC or is considered to have 5% chance of occurring in the current planning cycle. | L | M | M | H | H |
| D Unlikely | Has never occurred in the ACCC but has occurred infrequently in other similar agencies or is considered to have around a 1% chance of occurring in the current planning cycle. | L | L | M | M | H |
| E Rare | Exceptional circumstances only. Is possible but has not occurred to-date in any similar agency and is considered to have very much less than 1% chance of occurring in the current planning cycle. | L | L | L | M | M |

Risk Level:

• (E)xtreme: The risk requires a detailed action or plan to be implemented

• (H)igh: The risk requires senior management attention

• (M)edium: The risk requires management responsibility to be specified

• (L)ow: The risk should be managed by routine procedures.

Risk Appetite

The matrix below provides a guide as to whether a risk could be deemed acceptable based on the likelihood and consequence of the risk occurring. Risks deemed as unacceptable should be reviewed to identify strategies to further mitigate the risks in order to bring them within the acceptable range.

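Likelihood (rows) against Consequence (columns)

| Likelihood | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic |
|---|---|---|---|---|---|
| A Almost Certain | A | A | U | U | U |
| B Likely | A | A | U | U | U |
| C Possible | A | A | A | U | U |
| D Unlikely | A | A | A | A | U |
| E Rare | A | A | A | A | A |

A = Acceptable U = Unacceptable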

Attachment B—Fraud risk register

REDACTED

Attachment C—Agency Organisation Chart as at June 2016

Attachment D—Agency Fraud incident register

Below is an extract of the headings of information that the fraud incident register holds. It is stored electronically at D14/89095 and due to the sensitive nature of its contents it has been locked down to the FCO.

Fraud Incident Register

| Date of report | Person taking report | Person making report | Particulars of suspected fraud, including details of persons suspected of involvement (including position and location if internal), dates of offence, method used to perpetrate the fraud. |
|---|---|---|---|
